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DETAILED ACTION 

1 . Claims 1 -36 have been examined. 

Claim Rejections - 35 USC §103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-36 are rejected under 35 U.S.C. 103(a) as being unpatentable over Talpade et al. 
U.S. Pub. No. 20040148520 (hereinafter Talpade) in view of Fan et al. U.S. Pat. No. 6219706 
(hereinafter Fan). 

4. As per claim 1 , Talpade discloses a method of preventing an attack on a network, the 
method comprising the computer-implemented steps of: 

receiving an ICMP packet, wherein the ICMP packet carries a value associated with a 
connection in a connection-oriented transport protocol that identifies a transport protocol 
segment that caused a node to identify an error and to generate the ICMP packet in response to 
the error (Talpade: [0020] lines 4-5 and lines 13-15: analyze packet header for packet filtering 
for ICMP packet based on range of valid values of various packet header fields); 

and responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpade: [0017] lines 
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27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header carries a packet 
sequence value associated with the connection; obtaining a packet sequence value from the 
header; determining if the packet sequence value is valid; and responding to the ICMP packet by 
updating a parameter value associated with the transport protocol connection only if the packet 
sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-5 1 : using packet values to filter DoS packets). It would have been obvious to 
one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

5. As per claim 2, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the ICMP carries a portion of a TCP header associated with a 
TCP connection (Fan: column 10 lines 27-51). Same rationale applies here as above in rejecting 
claim 1 . 
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6. As per claim 3, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

7. As per claim 4, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 

8. As per claim 5, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of packet sequence values that are allowed by the transport protocol for the connection 
(Fan: column 10 lines 27-51). 

9. As per claim 6, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of sent but unacknowledged TCP packet sequence values for the connection (Fan: column 
10 lines 27-51). 
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10. As per claim 7, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is exactly 
equal to one or more sequence values of one or more packets that are then-currently stored in a 
TCP re-transmission buffer, starting at a sequence value of a previously sent segment that 
resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 

11. As per claim 8, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the steps arc performed in a router acting as a TCP endpoint 
node (Talpade: [0020]: sensor/firewall). 

12. As per claim 9, Talpade as modified discloses the method of claim 1 . Talpade as 
modified further discloses wherein the steps are performed in a firewall device (Talpade: [0020]: 
packet filtering device/firewall; Fan: column 10 lines 27-51: firewall/packet filter). 

13. As per claim 10, Talpade discloses a method of preventing an attack on a network, the 
method comprising the computer-implemented steps of: 

receiving, at a TCP endpoint node in a TCP/IP packet-switched network (Talpad: [0020] 
line 1-5: monitor all traffic entering customer network that includes TCP/IP protocol), an ICMP 
packet, wherein the ICMP packet carries a value associated with a connection in a connection- 
oriented transport protocol that identifies a TCP segment that caused a node to identify an error 
and to generate the ICMP packet in response to the error (Talpade: [0020] lines 4-5 and lines 13- 
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15: analyze packet header for packet filtering for ICMP packet based on range of valid values of 
various packet header fields); 

and responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpad: [0017] lines 
27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header includes a packet 
sequence value associated with the connection; obtaining a packet sequence value from the 
header; determining if the packet sequence value is valid; and responding to the ICMP packet by 
updating a parameter value associated with the transport protocol connection only if the packet 
sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-5 1 : using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

Talpade as modified does not explicitly disclose updating MTU value associated with the 
TCP connection. However, Talpade discloses forwarding traffic if the packet value is valid 
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(Talpad: [0017] lines 27-30) and it would have obvious to one having ordinary skill in the art to 
take different measures to allow traffic including, but not limited to, updating MTU value to 
increase transmission rate to allow traffic. 

14. As per claim 11, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

15. As per claim 12, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 

16. As per claim 13, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of packet sequence values that are allowed by the transport protocol for the connection 
(Fan: column 10 lines 27-51). 

17. As per claim 14, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
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the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of sent but unacknowledged TCP packet sequence values for the connection (Fan: column 
10 lines 27-51). 

18. As per claim 15, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is exactly 
equal to one or more sequence values of one or more packets that are then-currently stored in a 
TCP re-transmission buffer, starting at a sequence value of a previously sent segment that 
resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 

19. As per claim 16, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the steps are performed in a router acting as a TCP endpoint 
node (Talpade: [0020]: sensor/firewall). 

20. As per claim 17, Talpade as modified discloses the method of claim 10. Talpade as 
modified further discloses wherein the steps are performed in a firewall device (Talpade: [0020]: 
packet filtering device/firewall; Fan: column 10 lines 27-51: firewall/packet filter). 

21. As per claim 18, Talpade discloses a computer-readable medium that is selected from a 
group consisting of non-volatile, and volatile media, carrying one or more sequences of 
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instruction, which instructions, when executed by one or more processors, cause the one or more 
processors to perform the steps of: 

receiving an ICMP packet, wherein the ICMP packet carries a value associated with a 
connection in a connection-oriented transport protocol that identifies a transport protocol 
segment that caused a node to identify an error and to generate the ICMP packet in response to 
the error (Talpade: [0020] lines 4-5 and lines 13-15: analyze packet header for packet filtering 
for ICMP packet based on range of valid values of various packet header fields); 

and responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpad: [0017] lines 
27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header includes a packet 
sequence value associated with the connection; obtaining a packet sequence value from the 
header; determining if the packet sequence value is valid; and responding to the ICMP packet by 
updating a parameter value associated with the transport protocol connection only if the packet 
sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-5 1 : using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
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at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

22. As per claim 19, Talpade discloses an apparatus for preventing an attack on a network, 
comprising: 

means for receiving an ICMP packet, wherein the ICMP packet carries a value associated 
with a connection in a connection-oriented transport protocol that identifies a transport protocol 
segment that caused a node to identify an error and to generate the ICMP packet in response to 
the error (Talpade: [0020] lines 4-5 and lines 13-15: analyze packet header for packet filtering 
for ICMP packet based on range of valid values of various packet header fields); 

and means for responding to the ICMP packet by updating a parameter associated with 
the transport protocol connection only if the packet filed value is determined to be valid (Talpad: 
[0017] lines 27-30: forwarding traffic/updating parameter associated with protocol connection if 
packet is not DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header carries a packet 
sequence value associated with the connection; means for obtaining a packet sequence value 
from the header; means for determining if the packet sequence value is valid; and responding to 
the ICMP packet by updating a parameter value associated with the transport protocol 
connection only if the packet sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
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column 10 lines 27-5 1 : using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

23. As per claim 20, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP packet that includes a copy of a TCP header associated with a TCP connection (Fan: 
column 10 lines 27-51). Same rationale applies here as above in rejecting claim 1. 

24. As per claim 21, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

25. As per claim 22, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of receiving an ICMP packet comprises receiving an 
ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 
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26. As per claim 23, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of packet sequence values that are allowed by the transport protocol for the connection 
(Fan: column 10 lines 27-51). 

27. As per claim 24, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is within a 
range of sent but unacknowledged TCP packet sequence values for the connection (Fan: column 
10 lines 27-51). 

28. As per claim 25, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the step of authenticating the ICMP packet by determining if 
the packet sequence value is valid comprises determining if the packet sequence value is exactly 
equal to one or more sequence values of one or more packets that are then-currently stored in a 
TCP re-transmission buffer, starting at a sequence value of a previously sent segment that 
resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 
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29. As per claim 26, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the steps are performed in a router acting as a TCP endpoint 
node (Talpade: [0020]: sensor/firewall). 

30. As per claim 27, Talpade as modified discloses the apparatus of claim 19. Talpade as 
modified further discloses wherein the steps are performed in a firewall device (Talpade: [0020]: 
packet filtering device/firewall; Fan: column 10 lines 27-51: firewall/packet filter). 

31. As per claim 28, Talpade discloses a network clement, comprising: 

a network interface that is coupled to a data network for receiving one or more packet 
flows therefrom (Talpade: figure 2: filter router 230); 

a processor (Talpade: figure 2: filter router 230 contains processor); 

on or more stored sequence s of instruction which, when executed by the processor, cause 
the processor to perform the steps of: 

receiving an ICMP packet, wherein the ICMP packet carries a value associated with a 
connection in a connection-oriented transport protocol that identifies a transport protocol 
segment that caused a node to identify an error and to generate the ICMP packet in response to 
the error (Talpade: [0020] lines 4-5 and lines 13-15: analyze packet header for packet filtering 
for ICMP packet based on range of valid values of various packet header fields); 

responding to the ICMP packet by updating a parameter associated with the transport 
protocol connection only if the packet filed value is determined to be valid (Talpad: [0017] lines 
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27-30: forwarding traffic/updating parameter associated with protocol connection if packet is not 
DDoS packet/the packet value is valid). 

Talpade does not explicitly disclose wherein the portion of the header includes a packet 
sequence value associated with the connection; means for obtaining a packet sequence value 
from the header; means for determining if the packet sequence value is valid; and responding to 
the ICMP packet by updating a parameter value associated with the transport protocol 
connection only if the packet sequence value is determined to be valid. 

However, Fan discloses filtering packets based on the sequence number presented in the 
header portion of a packet and update the current session state if sequence value is valid (Fan: 
column 10 lines 27-5 1 : using packet values to filter DDoS packets). It would have been obvious 
to one having ordinary skill in the art to utilize the sequence number contained in the connection- 
oriented packet into the field value of the ICMP packet because they are analogous art used to 
control DoS attack. Therefore, it would have been obvious to one having ordinary skill in the art 
at the time of applicant's invention to combine the teachings of Fan within the system of Talpade 
because it allows packet filter to analyze invalid range of value presented in header for filtering 
purposes. 

32. As per claim 29, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of receiving an ICMP packet comprises receiving 
an ICMP packet that includes a copy of a TCP header associated with a TCP connection (Fan: 
column 10 lines 27-51). Same rationale applies here as above in rejecting claim 1. 
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33. As per claim 30, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of receiving an ICMP packet comprises receiving 
an ICMP "endpoint unreachable" error packet (Talpade: [0006]: error packets in denial of service 
attack). 

34. As per claim 3 1 , Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of receiving an ICMP packet comprises receiving 
an ICMP packet that specifies that fragmentation is needed (Talpad: [0020] lines 4-6: ICMP 
messages). 

35. As per claim 32, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of authenticating the ICMP packet by determining 
if the packet sequence value is valid comprises determining if the packet sequence value is 
within a range of packet sequence values that are allowed by the transport protocol for the 
connection (Fan: column 10 lines 27-51). 

36. As per claim 33, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of authenticating the ICMP packet by determining 
if the packet sequence value is valid comprises determining if the packet sequence value is 
within a range of sent but unacknowledged TCP packet sequence values for the connection (Fan: 
column 10 lines 27-51). 
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37. As per claim 34, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the step of authenticating the ICMP packet by determining 
if the packet sequence value is valid comprises determining if the packet sequence value is 
exactly equal to one or more sequence values of one or more packets that are then-currently 
stored in a TCP re-transmission buffer, starting at a sequence value of a previously sent segment 
that resulted in receiving the ICMP packet (Fan: column 10 lines 35-41). 

38. As per claim 35, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the steps arc performed in a router acting as a TCP 
endpointnode (Talpade: [0020]: sensor/firewall). 

39. As per claim 36, Talpade as modified discloses the network element of claim 28. Talpade 
as modified further discloses wherein the steps are performed in a firewall device (Talpade: 
[0020]: packet filtering device/firewall; Fan: column 10 lines 27-51 : firewall/packet filter). 

Response to Arguments 

40. Applicant's arguments filed on 2/10/09 have been fully considered but they are not 
persuasive. 

Regarding applicant's remarks, applicant mainly argues that the prior art of record does 
not discloses a sequence value that is used to by a node to identify error and generate ICMP 
packet in response to that value. However, the examiner disagrees. Talpade discloses that using a 
range value to filter packet and if the value is within certain range (Talpade: [0020]). The 
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filtering function allows nodes to communicate to each other through ICMP to determine 
whether the packets could be communicated or to prevent DoS attack. It would have been 
obvious to one having ordinary skill in the art to apply the sequence value of typical transport 
protocol packet within the ICMP packet to prevent denial of service attack and generate error 
message if the packet is not deliverable. Therefore, applicant's argument is traversed in light of 
above explanation. 

Conclusion 

4 1 . THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to SHFN-HON CHEN whose telephone number is (571)272-3789. 
The examiner can normally be reached on Monday through Friday 8:30am to 5:30pm. 
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If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, William R. Korzuch can be reached on (571) 272-7589. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Shin-Hon Chen 
Primary Examiner 
Art Unit 2431 

/Shin-Hon Chen/ 

Primary Examiner, Art Unit 243 1 



